A step-by-step guide for protecting sensitive data in docker

Managing passwords, access tokens and private keys inside an application is tedious, and a single small mistake can expose all of that secret information. Baking such values into Docker images is no better: anyone can run the image as an interactive container and read the whole application code, secrets included. Docker provides secrets to protect this kind of sensitive data.

This blog explains how a Docker secret is stored at a low level and how access to it is secured. So, let's get started.

What is Docker Secret?

A secret is a blob of data that may contain a password or any other sensitive information. Docker manages this data centrally and transmits it securely to the containers that need access to it. A secret is encrypted in transit and is only readable by the containers that have been granted it. Docker secrets only work with swarm services; they are not available to standalone containers. Let's understand how Docker secrets work.

Architecture

When a Docker secret is created, the secret data is sent from the Docker CLI to a swarm manager, which stores it in the Raft log. That log is encrypted, and the encrypted log is replicated to the other managers so the secret stays available across the swarm. A service can use the secret by having it mounted into its containers; the mount location inside the container is /run/secrets/. The secret is decrypted by the worker node on which the service task runs. Let's follow an example to see this in practice.

Example

Let's start with a very basic example in which we provide MySQL's credentials to its container as secrets, and then cross-check by logging in with the same credentials inside the container. As mentioned at the beginning, Docker secrets only work in swarm mode, so first create a swarm. One way to create a swarm on a single machine is to use VirtualBox; you may also create it across multiple machines.

Make sure docker, docker-machine and VirtualBox are installed on your system before running the commands above. Then confirm that the machines are correctly created and running with the command docker-machine ls. The output looks like:

Both the username and the password need to be provided to the service as secrets. For the service, we pull the MySQL image from Docker Hub and run it as a service, passing the secrets to it. A root password is required for the MySQL image to start.
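The steps above, written out as an added shell example (not code from the original post): the root password is piped into `docker secret create`, the service is started with `--secret` so the value appears as a file under /run/secrets/, and the official MySQL image is told to read it from that file via `MYSQL_ROOT_PASSWORD_FILE` rather than from a plaintext environment variable. It assumes a swarm is already initialised on the machine you run it from; the secret name `mysql_root_password` and service name `mysql` are placeholders.

```shell
#!/bin/sh
# Added example: MySQL root password as a Docker secret on a swarm service.
# Assumes `docker swarm init` has already been run; names below are placeholders.
set -eu

SECRET_NAME=mysql_root_password          # mounted as /run/secrets/mysql_root_password
SERVICE_NAME=mysql                       # placeholder service name
SECRET_DIR=${SECRET_DIR:-/run/secrets}   # overridable so the helpers can be tested offline

# Read a mounted secret the way an entrypoint should: from the tmpfs file, trailing
# newline stripped, never echoed to a log. Fails if the secret was not granted.
read_secret() {
  f="$SECRET_DIR/$1"
  [ -r "$f" ] || { echo "secret $1 not mounted at $f" >&2; return 1; }
  tr -d '\n' < "$f"
}

# The env var the official image understands; a plaintext -e MYSQL_ROOT_PASSWORD
# would be visible in `docker service inspect`, the file path is not sensitive.
root_password_env() {
  echo "MYSQL_ROOT_PASSWORD_FILE=$SECRET_DIR/$1"
}

create_secret() {
  # Value comes from stdin, so it never lands on the command line or in shell history.
  docker secret create "$SECRET_NAME" -
}

deploy_service() {
  docker service create --name "$SERVICE_NAME" \
    --secret "$SECRET_NAME" \
    -e "$(root_password_env "$SECRET_NAME")" \
    mysql:8.0
}

verify() {
  # Inside the task container the secret is a file; log in with it instead of printing it.
  cid=$(docker ps -q -f "name=$SERVICE_NAME")
  docker exec "$cid" sh -c \
    'mysql -uroot -p"$(cat /run/secrets/mysql_root_password)" -e "SELECT 1"'
}

if [ "${1:-}" = "deploy" ]; then
  printf 'MySQL root password: ' >&2
  stty -echo; read -r pw; stty echo; echo >&2
  printf '%s' "$pw" | create_secret
  deploy_service
  sleep 30 && verify
fi
```

Run it as `sh secrets.sh deploy`; the password prompt is hidden and the value only ever travels through the pipe into the swarm manager.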